TRBAC: A Temporal Role-Based Access Control Model

Elisa Bertino, CERIAS and CS Department, Purdue University (PowerPoint presentation, 35 slides)

TRANSCRIPT

Page 1: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: A Temporal Role-Based Access Control Model

Elisa Bertino

CERIAS and CS Department

Purdue University

Page 2: TRBAC: A Temporal Role-Based Access Control Model

What is TRBAC?

RBAC Model [Sandhu 98]

Temporal constraints on role activations/deactivations

Page 3: TRBAC: A Temporal Role-Based Access Control Model

What is TRBAC?

An active role is a role that a user can activate during a session (that is, the user can acquire the role's permissions)

A role can be active in certain time periods and non-active in others:
Role activation: non-active → active
Role deactivation: active → non-active

Page 4: TRBAC: A Temporal Role-Based Access Control Model

Why TRBAC?

Often roles are characterized by a temporal dimension:
Job functions may have a limited or periodic time duration
There may be activation dependencies among roles

Page 5: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Main Features

Periodic activations/deactivations of roles

Temporal dependencies among role activations/deactivations

ROLE TRIGGERS

Page 6: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Main Features

Role triggers may cause either:
Immediate activations/deactivations, or
Deferred activations/deactivations

Run-time requests to dynamically change the status of a role

Page 7: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Main Features

Priorities for:
Periodic activations/deactivations
Role triggers
Run-time requests

Priorities are used for conflict resolution

Page 8: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Periodic Events

Definition: (Periodic Event) A periodic event is a tuple (I, P, p:E) where I is a time interval, P is a periodic expression, p:E is a prioritized event expression, E ∈ {activate R, deactivate R}, R ∈ Roles

([7/1/00,12/31/00], night-time, VH:activate doctor-on-night-duty)

([7/1/00,12/31/00], day-time, VH:deactivate doctor-on-night-duty)

Page 9: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Role Triggers

Definition: (Role Trigger) Role triggers are of the form:

E1, …, En, C1, …, Ck → p:E after t

where the Ei are event expressions, Ei ∈ {activate R, deactivate R}, the Cj are role status expressions, Cj ∈ {active R, not active R}, R ∈ Roles, p:E is a prioritized event expression and t is a temporal displacement

Page 10: TRBAC: A Temporal Role-Based Access Control Model

Role Triggers: Example

activate doctor-on-night-duty → VH:activate nurse-on-night-duty

activate nurse-on-day-duty → H:activate nurse-on-training after 2 Hours

Page 11: TRBAC: A Temporal Role-Based Access Control Model

Role Activation Base

([1/1/00,12/31/00], night-time, VH:activate doctor-on-night-duty)

([1/1/00,12/31/00], day-time, VH:deactivate doctor-on-night-duty)

([1/1/00,12/31/00], day-time, VH:activate doctor-on-day-duty)

([1/1/00,12/31/00], night-time, VH:deactivate doctor-on-day-duty)

activate doctor-on-night-duty → H:activate nurse-on-night-duty

deactivate doctor-on-night-duty → H:deactivate nurse-on-night-duty

activate doctor-on-day-duty → H:activate nurse-on-day-duty

deactivate doctor-on-day-duty → H:deactivate nurse-on-day-duty

activate nurse-on-day-duty → H:activate nurse-on-training after 2 Hours

deactivate nurse-on-day-duty → VH:deactivate nurse-on-training

RAB = Periodic Events + Role Triggers

Page 12: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Runtime Request Expressions

Definition: (Runtime Request Expression) A runtime request expression has the form:

p:E after t

where p:E is a prioritized event expression and t is a temporal displacement

deactivate nurse-on-training after 2 Hours

activate emergency-doctor

Page 13: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Formal Aspects

The Execution Model of a RAB specifies, for each instant t, the set of events that should occur at time t according to:
periodic events & triggers in the RAB
runtime request expressions
priorities

Page 14: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Formal Aspects

Some specifications may yield no execution model, while some ambiguous specifications may admit two or more models:

activate R → deactivate S
activate S → deactivate R

Requests: activate R, activate S

Page 15: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Formal Aspects

Safeness condition that guarantees that a given RAB has exactly one model

It exploits the notion of dependency graph: no cycles involving conflicting events

Safeness check is polynomial in the RAB dimension
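As an added worked example (not code from the slides or from the TRBAC paper), the following Python sketches the machinery of Pages 8 to 15: periodic events (I, P, p:E), role triggers with priorities and `after t` displacements, runtime requests, priority-based conflict resolution, and a dependency-graph safeness check. The sample RAB is the one on Page 11 and the two triggers in `AMBIGUOUS` are the Page 14 example. Everything else is an assumption of this example: periodic expressions are limited to the day-time/night-time split with day-time taken as 08:00-20:00; a periodic event is asserted only when it would change the role's status (Page 3 defines activation as the non-active → active transition); conflicting events of equal priority resolve to deactivation; and `is_safe` is my reading of the Page 15 condition (body-to-head edges plus blocking edges between conflicting events, rejecting any cycle that uses both kinds), not the paper's exact definition.

```python
"""Toy TRBAC engine: periodic events, role triggers, priority conflict resolution and a
simplified safeness check.  Added example, not Bertino's code."""
from collections import namedtuple
from datetime import date, datetime, timedelta

PRIORITY = {"L": 0, "M": 1, "H": 2, "VH": 3}           # very high > high > medium > low
Event = namedtuple("Event", "op role")                 # op is "activate" or "deactivate"
PeriodicEvent = namedtuple("PeriodicEvent", "start end period prio event")   # (I, P, p:E)
Trigger = namedtuple("Trigger", "body_events body_status prio head after",   # E1..En, C1..Ck -> p:E after t
                     defaults=[timedelta(0)])          # body_status holds (role, must_be_active) pairs

def opposite(ev):
    return Event("deactivate" if ev.op == "activate" else "activate", ev.role)
def in_period(pe, now):
    """P is limited to "day-time"/"night-time"; assumption: day-time is 08:00-20:00."""
    return pe.start <= now.date() <= pe.end and (8 <= now.hour < 20) == (pe.period == "day-time")

def step(periodic, triggers, active, now, requests=(), deferred=()):
    """One instant of the execution model -> (new active roles, still-pending deferred actions).
    requests are runtime request expressions (prio, Event); deferred holds (due, prio, Event)."""
    cands = {}                                          # Event -> highest priority asserting it
    def add(prio, ev):
        cands[ev] = max(cands.get(ev, -1), PRIORITY[prio])
    for pe in periodic:                                 # a periodic event is asserted only when it
        if in_period(pe, now) and (pe.event.role in active) != (pe.event.op == "activate"):
            add(pe.prio, pe.event)                      # changes the role's status (Page 3 transitions)
    for prio, ev in requests:
        add(prio, ev)
    pending = []
    for due, prio, ev in deferred:
        add(prio, ev) if due <= now else pending.append((due, prio, ev))
    fired = set()                                       # fire triggers up to a fixed point
    while True:
        ready = [t for t in triggers if t not in fired
                 and all(e in cands for e in t.body_events)
                 and all((r in active) == st for r, st in t.body_status)]
        if not ready:
            break
        for t in ready:
            fired.add(t)
            if t.after:                                 # deferred head: queue it for later
                pending.append((now + t.after, t.prio, t.head))
            else:                                       # immediate head: competes like any other event
                add(t.prio, t.head)
    new_active = set(active)                            # conflict resolution: higher priority wins;
    for role in {e.role for e in cands}:                # ties go to deactivation (deny-biased assumption)
        if cands.get(Event("activate", role), -1) > cands.get(Event("deactivate", role), -1):
            new_active.add(role)
        else:
            new_active.discard(role)
    return new_active, pending

def is_safe(triggers):
    """Simplified safeness check (my reading of Page 15, not the paper's definition): edges run from
    each body event to the head (a status condition is read as the event establishing it), plus blocking
    edges both ways between activate R and deactivate R.  Unsafe if an event reaches its own opposite
    through at least one trigger edge: the firing order would then pick between two models."""
    heads = {}
    for t in triggers:
        for e in list(t.body_events) + [Event("activate" if st else "deactivate", r) for r, st in t.body_status]:
            heads.setdefault(e, set()).add(t.head)
        heads.setdefault(t.head, set())
    def reaches_opposite(start):
        seen, stack = set(), [(start, False)]           # (event, used a trigger edge yet?)
        while stack:
            ev, used = stack.pop()
            if used and ev == opposite(start):
                return True
            for s in [(h, True) for h in heads.get(ev, ())] + [(opposite(ev), used)]:
                if s not in seen:
                    seen.add(s)
                    stack.append(s)
        return False
    return not any(reaches_opposite(e) for e in heads)

# The Role Activation Base of Page 11 and the two-trigger example of Page 14.
YEAR = (date(2000, 1, 1), date(2000, 12, 31))
RAB_PERIODIC = [PeriodicEvent(*YEAR, p, "VH", Event(op, r)) for p, op, r in [
    ("night-time", "activate", "doctor-on-night-duty"), ("day-time", "deactivate", "doctor-on-night-duty"),
    ("day-time", "activate", "doctor-on-day-duty"), ("night-time", "deactivate", "doctor-on-day-duty")]]

def trig(body, prio, head, hours=0):
    return Trigger((Event(*body),), (), prio, Event(*head), timedelta(hours=hours))

RAB_TRIGGERS = [
    trig(("activate", "doctor-on-night-duty"), "H", ("activate", "nurse-on-night-duty")),
    trig(("deactivate", "doctor-on-night-duty"), "H", ("deactivate", "nurse-on-night-duty")),
    trig(("activate", "doctor-on-day-duty"), "H", ("activate", "nurse-on-day-duty")),
    trig(("deactivate", "doctor-on-day-duty"), "H", ("deactivate", "nurse-on-day-duty")),
    trig(("activate", "nurse-on-day-duty"), "H", ("activate", "nurse-on-training"), hours=2),
    trig(("deactivate", "nurse-on-day-duty"), "VH", ("deactivate", "nurse-on-training")),
]
AMBIGUOUS = [trig(("activate", "R"), "H", ("deactivate", "S")), trig(("activate", "S"), "H", ("deactivate", "R"))]

def run_day_shift():
    """1 July 2000: shift start, two hours later, and the 20:00 change with a losing runtime request."""
    trace, active, pending = [], set(), []
    for hh, reqs in [(8, []), (10, []), (20, [("H", Event("activate", "nurse-on-training"))])]:
        now = datetime(2000, 7, 1, hh, 0)
        active, pending = step(RAB_PERIODIC, RAB_TRIGGERS, active, now, reqs, pending)
        trace.append((now.strftime("%H:%M"), sorted(active), [e.role for _, _, e in pending]))
    return trace
```

`run_day_shift()` shows the day shift starting at 08:00 (doctor and nurse activated, the trainee activation queued for 10:00 by the `after 2 Hours` trigger), the deferred action firing at 10:00, and the 20:00 shift change where a runtime request H:activate nurse-on-training is overridden by the VH:deactivate trigger, which is what the priorities on Page 7 are for. `is_safe` accepts the Page 11 RAB and rejects the Page 14 pair, whose cycle through conflicting events is exactly the two-model ambiguity the slide describes.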

Page 16: TRBAC: A Temporal Role-Based Access Control Model

TRBAC: Architectural Aspects

At each time it is necessary to know which are the active roles, on the basis of the RAB and runtime requests

A request by a user to activate a role is authorized if:
The user has the authorization to play that role
The role is active at the time of the request

Page 17: TRBAC: A Temporal Role-Based Access Control Model

A Possible Architecture

[Figure: a possible TRBAC architecture. Inputs shown: periodic events, triggers, runtime requests. Components and their roles, from the slide's callouts:]

Events: a global event base which records the activations/deactivations of roles

Actions: a table which contains the actions to be potentially executed on Active_Roles

Triggers: a table which contains the specified triggers

Deferred_Actions: a table which contains an entry for each deferred action

Active_Roles: a table which contains the roles that can be activated

Trigger Support: in charge of firing triggers according to their priorities. If the action(s) caused by the trigger(s) are instantaneous, it returns them to the Action Handler. If the actions have to be deferred, it inserts them into Deferred_Actions

PE Handler (periodic events): in charge of managing periodic events and inserting/deleting the corresponding actions into/from table Deferred_Actions

RTR Handler (runtime requests): activated each time a runtime request is issued. If the request is for an immediate action, it returns the action to the Action_Handler; if it is for a deferred action, it inserts the action into Deferred_Actions

DA Handler (deferred actions): in charge of executing deferred actions on the basis of the content of table Deferred_Actions

Safeness Checker: activated each time a trigger is inserted/modified to verify whether safeness is preserved

Action Handler: in charge of updating table Active_Roles according to the requests of the other modules. It uses table Actions to solve potential conflicts

Page 18: TRBAC: A Temporal Role-Based Access Control Model

Generalized TRBAC (GTRBAC)

Motivations:
TRBAC does not distinguish between a role being enabled and a role being active
A role is enabled if the temporal conditions associated with it are satisfied
A role is active if a user has logged in the role
Only enabled roles can be activated
Because of such limitations, TRBAC cannot support some forms of constraints, such as the maximum number of activations of a role by a user in a given time interval

Page 19: TRBAC: A Temporal Role-Based Access Control Model

GTRBAC

GTRBAC extends TRBAC by introducing temporal conditions on:
User-role assignments
Role-permission assignments

A large number of constraints can thus be supported

Page 20: TRBAC: A Temporal Role-Based Access Control Model

GTRBAC – Examples of Constraints

Constraints on the number of concurrent activations: "there can be at most 10 users activating the role DayDoctor at a time"

Constraints on the number of total activations in a given period: "the role HeadNurse can be activated at most 2 times per day"
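As an added example (not from the GTRBAC paper), the following Python enforces the two constraints quoted above on top of the enabled/active distinction of Page 18: a role can be activated only while it is enabled, at most 10 users may hold DayDoctor at the same time, and HeadNurse may be activated at most twice per calendar day regardless of who activates it. The enabling window (08:00-20:00), the user names and the times are constructed for the demo; the checks run in a deny-wins order so that no constraint can be bypassed by satisfying another.

```python
"""GTRBAC-style activation constraints on top of the enabled/active distinction of Page 18.
Added example, not from the GTRBAC paper; roles, caps, users and times are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

class SessionManager:
    """Per-user role activations subject to three checks, in a deny-wins order: the role must be
    enabled (its temporal condition holds now), then the concurrent-activation cap (Page 20, first
    constraint), then the per-day activation cap (Page 20, second constraint)."""

    def __init__(self, enabled, max_concurrent=None, max_per_day=None):
        self.enabled = enabled                  # role -> callable(now) -> bool
        self.max_concurrent = max_concurrent or {}
        self.max_per_day = max_per_day or {}
        self.active = defaultdict(set)          # role -> users currently holding it
        self.daily = defaultdict(int)           # (role, date) -> activations begun that day

    def try_activate(self, user, role, now):
        """Return (granted, reason); an unknown role is never enabled."""
        if not self.enabled.get(role, lambda _: False)(now):
            return False, "role not enabled at %s" % now.isoformat()
        if user in self.active[role]:
            return True, "already active"
        if len(self.active[role]) >= self.max_concurrent.get(role, float("inf")):
            return False, "concurrent activation cap reached"
        if self.daily[role, now.date()] >= self.max_per_day.get(role, float("inf")):
            return False, "daily activation cap reached"
        self.active[role].add(user)
        self.daily[role, now.date()] += 1
        return True, "activated"

    def deactivate(self, user, role):
        self.active[role].discard(user)

def day_time(now):
    return 8 <= now.hour < 20                   # assumed enabling window for both roles

def demo():
    """Probe the two Page 20 constraints; returns the grant/deny outcome of each probe."""
    sm = SessionManager({"DayDoctor": day_time, "HeadNurse": day_time},
                        max_concurrent={"DayDoctor": 10}, max_per_day={"HeadNurse": 2})
    t = datetime(2000, 7, 1, 9, 0)
    out = {"night": sm.try_activate("d0", "DayDoctor", t.replace(hour=22))[0]}   # not enabled
    for i in range(10):                                          # fill the 10 DayDoctor slots
        sm.try_activate("d%d" % i, "DayDoctor", t)
    out["eleventh_doctor"] = sm.try_activate("d10", "DayDoctor", t)[0]
    sm.deactivate("d0", "DayDoctor")
    out["after_release"] = sm.try_activate("d10", "DayDoctor", t)[0]
    for i in range(2):                                           # two HeadNurse activations today
        sm.try_activate("h1", "HeadNurse", t + timedelta(hours=i))
        sm.deactivate("h1", "HeadNurse")
    out["third_headnurse_today"] = sm.try_activate("h1", "HeadNurse", t + timedelta(hours=3))[0]
    out["headnurse_next_day"] = sm.try_activate("h1", "HeadNurse", t + timedelta(days=1))[0]
    return out
```

The daily counter is keyed by role and calendar day rather than per user, which is what "the role HeadNurse can be activated at most 2 times per day" asks for; a per-user variant only needs the user added to the key. Releasing a DayDoctor slot immediately makes the eleventh request succeed, while the third HeadNurse activation is refused until the next day even though the role is enabled and nobody holds it.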

Page 21: TRBAC: A Temporal Role-Based Access Control Model

X-GTRBAC - Motivations

Role Based Access Control Model

Many benefits over traditional access control models when applied to emerging applications

XML is a uniform platform for information interchange

Our Goal: XML + RBAC extension

To provide access control framework for Web-Services environments

Page 22: TRBAC: A Temporal Role-Based Access Control Model

X-GTRBAC - why XML?

XML - main benefits:

Uniform, vendor-neutral representation of enterprise data

Mechanism for interchange of information across heterogeneous systems

Extensible syntax and semantics

Widespread support from main platforms and tool vendors

Page 23: TRBAC: A Temporal Role-Based Access Control Model

X-RBAC Language

Modeling RBAC Elements:
XML User Sheet (XUS) → Users
XML Role Sheet (XRS) → Roles
XML Permission Sheet (XPS) → Permissions
XML CredType Definition → credential types
XML SoD Definition → separation of duty
XML TempConst Definition → temporal constraints
XML Trigger Definition → triggers

Page 24: TRBAC: A Temporal Role-Based Access Control Model

X-RBAC Language

Policy Administration

XML User-to-Role Assignment Sheet (XURAS): User-to-Role Assignment

[Diagram: an XURAS links the users of an XUS to the roles of an XRS (XUS + XRS → XURAS)]

Page 25: TRBAC: A Temporal Role-Based Access Control Model

X-RBAC Language

Policy Administration

XML Permission-to-Role Assignment Sheet (XPRAS): Permission-to-Role Assignment

[Diagram: an XPRAS links the permissions of an XPS to the roles of an XRS (XPS + XRS → XPRAS)]

Page 26: TRBAC: A Temporal Role-Based Access Control Model

XUS Grammar

<!-- XML User Sheet> ::= <XUS> <!-- User Definitions> </XUS>

<!-- User Definitions> ::= <Users> {<!-- User Definition>}+ </Users>

<!-- User Definition> ::= <User user_id = (id)> <UserName> (name) </UserName> {<!-- CredType>}+ <MaxRoles> (number) </MaxRoles> </User>

<!-- CredType> ::= <CredType cred_type_id = (id)> <type_name> (name) </type_name> <!-- Credential Expression> </CredType>

<!-- Credential Expression> ::= <CredExpr> {<(attribute name)> (attribute value) </(attribute name)>}+ </CredExpr>

Page 27: TRBAC: A Temporal Role-Based Access Control Model

An XML instance of XUS

<XUS>
  <User user_id="j1">
    <UserName>John</UserName>
    <CredType cred_type_id="C100">
      <type_name>Nurse</type_name>
      <CredExpr>
        <age>30</age>
        <field>opthalmology</field>
        <level>5</level>
        <status>single</status>
      </CredExpr>
    </CredType>
    <MaxRoles>2</MaxRoles>
  </User>
  <User> … </User>
  …
</XUS>

Page 28: TRBAC: A Temporal Role-Based Access Control Model

XRS Grammar

<!-- XML Role Sheet> ::= <XRS [xrs_id = (id)]> {<!-- Role Definitions>}+ </XRS>

<!-- Role Definitions> ::= <Roles> <Role role_id = (id)> <RoleName> (role name) </RoleName> [<!-- {En|Dis}abling Constraint>] [<!-- [De]Activation Constraint>] {<SSDRoleSetID> (id) </SSDRoleSetID>}* {<DSDRoleSetID> (id) </DSDRoleSetID>}* {<Junior> (name) </Junior>}* {<Senior> (name) </Senior>}* [<Cardinality> (number) </Cardinality>] </Role> <Role> … </Role> … </Roles>

Page 29: TRBAC: A Temporal Role-Based Access Control Model

An XML instance of XRS

<XRS>
  <Roles>
    <Role role_id="R100">
      <RoleName>Nurse</RoleName>
      <Senior>Eye_Doctor</Senior>
      <Cardinality>8</Cardinality>
    </Role>
    <Role role_id="R200">
      <RoleName>Eye_Doctor</RoleName>
      <DSDRoleSetID>DSD1</DSDRoleSetID>
      <Junior>Nurse</Junior>
      <Senior>Eye_Surgeon</Senior>
      <Cardinality>6</Cardinality>
    </Role>
  </Roles>
</XRS>

Page 30: TRBAC: A Temporal Role-Based Access Control Model

XPS Grammar

<!-- XML Permission Sheet> ::= <XPS [xps_id = (id)]> {<!-- Permission Definitions>}+ </XPS>

<!-- Permission Definitions> ::= <Permission perm_id = (id) [prop = (prop op)]> <Object type = (type name) id = (id)/> <Operation> (access op) </Operation> </Permission>

Page 31: TRBAC: A Temporal Role-Based Access Control Model

An XML instance of XPS

<XPS>
  <Permission perm_id="P1">
    <Object type="Schema" id="XS101"/>
    <Operation>all</Operation>
  </Permission>
  <Permission perm_id="P2">
    <Object type="Instance" id="XI100"/>
    <Operation>all</Operation>
  </Permission>
  <Permission perm_id="P3">
    <Object type="Element" id="XE100"/>
    <Operation>navigate</Operation>
  </Permission>
</XPS>

Page 32: TRBAC: A Temporal Role-Based Access Control Model

Example of XURAS

<XURAS>
  <URA ura_id="URA1">
    <RoleName>Eye_Doctor</RoleName>
    <Users>
      <User user_id="s1"/>
      <User user_id="s2"/>
    </Users>
    <CredConditions>
      <CredCondition>
        <CredType>Doctor</CredType>
        <LogicalExpr op="AND">
          <Predicate>
            <operator>eq</operator>
            <name_param>field</name_param>
            <value_param>Eye</value_param>
          </Predicate>
          <Predicate>
            <LogicalExpr op="OR">
              <Predicate>
                <operator>lt</operator>
                <name_param>age</name_param>
                <value_param>60</value_param>
              </Predicate>
              <Predicate>
                <operator>gt</operator>
                <name_param>level</name_param>
                <value_param>7</value_param>
              </Predicate>
            </LogicalExpr>
          </Predicate>
        </LogicalExpr>
      </CredCondition>
    </CredConditions>
  </URA>
</XURAS>

Page 33: TRBAC: A Temporal Role-Based Access Control Model

Example of XPRAS

<XPRAS>
  <PRA pra_id="PRA1">
    <RoleName>Nurse</RoleName>
    <Permissions>
      <perm_id>P3</perm_id>
    </Permissions>
  </PRA>
  <PRA pra_id="PRA2">
    <RoleName>Eye_Doctor</RoleName>
    <Permissions>
      <perm_id>P1</perm_id>
      <perm_id>P2</perm_id>
    </Permissions>
  </PRA>
</XPRAS>
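As an added example (not the X-RBAC implementation), the following Python loads an XUS, the Page 32 XURAS and the Page 33 XPRAS with the standard-library parser and decides which roles, and through them which permissions, a user can obtain: the user must be listed in the URA's <Users> and hold a credential of the required <CredType> whose attributes satisfy the nested AND/OR <LogicalExpr>. The two XUS users are constructed for the example (the Page 27 instance carries only a Nurse credential, which this URA does not accept); the XRS role hierarchy (Junior/Senior) is not applied, predicate values are compared numerically when both sides are numbers, and a missing attribute or unknown operator makes a predicate false rather than being skipped.

```python
"""Resolve X-GTRBAC user-to-role (XURAS) and permission-to-role (XPRAS) assignments against
XUS credentials.  Added example, not the X-RBAC implementation."""
import xml.etree.ElementTree as ET

# Constructed XUS: two Doctor credentials shaped like the Page 27 instance.
XUS = """<XUS>
  <User user_id="s1"><UserName>Ann</UserName>
    <CredType cred_type_id="C200"><type_name>Doctor</type_name>
      <CredExpr><age>45</age><field>Eye</field><level>6</level></CredExpr>
    </CredType><MaxRoles>2</MaxRoles></User>
  <User user_id="s2"><UserName>Bob</UserName>
    <CredType cred_type_id="C200"><type_name>Doctor</type_name>
      <CredExpr><age>65</age><field>Eye</field><level>7</level></CredExpr>
    </CredType><MaxRoles>2</MaxRoles></User>
</XUS>"""

# The Page 32 XURAS: Eye_Doctor needs a Doctor credential with field = Eye AND (age < 60 OR level > 7).
XURAS = """<XURAS><URA ura_id="URA1"><RoleName>Eye_Doctor</RoleName>
  <Users><User user_id="s1"/><User user_id="s2"/></Users>
  <CredConditions><CredCondition><CredType>Doctor</CredType>
    <LogicalExpr op="AND">
      <Predicate><operator>eq</operator><name_param>field</name_param><value_param>Eye</value_param></Predicate>
      <Predicate><LogicalExpr op="OR">
        <Predicate><operator>lt</operator><name_param>age</name_param><value_param>60</value_param></Predicate>
        <Predicate><operator>gt</operator><name_param>level</name_param><value_param>7</value_param></Predicate>
      </LogicalExpr></Predicate>
    </LogicalExpr>
  </CredCondition></CredConditions></URA></XURAS>"""

# The Page 33 XPRAS.
XPRAS = """<XPRAS>
  <PRA pra_id="PRA1"><RoleName>Nurse</RoleName><Permissions><perm_id>P3</perm_id></Permissions></PRA>
  <PRA pra_id="PRA2"><RoleName>Eye_Doctor</RoleName>
    <Permissions><perm_id>P1</perm_id><perm_id>P2</perm_id></Permissions></PRA>
</XPRAS>"""

OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

def _text(node, tag):
    return (node.findtext(tag) or "").strip()

def _coerce(a, b):
    """Compare numerically when both sides parse as numbers, otherwise as strings."""
    try:
        return float(a), float(b)
    except ValueError:
        return a, b

def eval_expr(node, attrs):
    """Evaluate a <LogicalExpr> or <Predicate> against one credential's {attribute: value}.
    A missing attribute or an unknown operator makes the predicate false (fail closed)."""
    if node.tag == "LogicalExpr":
        results = [eval_expr(child, attrs) for child in node]
        return all(results) if node.get("op") == "AND" else any(results)
    inner = node.find("LogicalExpr")            # a <Predicate> may wrap a nested <LogicalExpr>
    if inner is not None:
        return eval_expr(inner, attrs)
    name, op = _text(node, "name_param"), _text(node, "operator")
    if name not in attrs or op not in OPS:
        return False
    return OPS[op](*_coerce(attrs[name], _text(node, "value_param")))

def load_users(xus_xml):
    """user_id -> [(credential type, {attribute: value}), ...] from an XUS document."""
    return {u.get("user_id"): [(_text(c, "type_name"),
                                {e.tag: (e.text or "").strip() for e in c.find("CredExpr")})
                               for c in u.findall("CredType")]
            for u in ET.fromstring(xus_xml).iter("User")}

def assignable_roles(xus_xml, xuras_xml):
    """user_id -> roles the XURAS grants: the user must be listed in <Users> AND hold a credential of
    the required type whose attributes satisfy the condition; being listed alone is not enough."""
    users, granted = load_users(xus_xml), {}
    for ura in ET.fromstring(xuras_xml).iter("URA"):
        listed = {u.get("user_id") for u in ura.find("Users").iter("User")}
        for uid in listed & set(users):
            for cond in ura.iter("CredCondition"):
                need, expr = _text(cond, "CredType"), cond.find("LogicalExpr")
                if any(ctype == need and (expr is None or eval_expr(expr, attrs))
                       for ctype, attrs in users[uid]):
                    granted.setdefault(uid, set()).add(_text(ura, "RoleName"))
    return granted

def role_permissions(xpras_xml):
    """RoleName -> set of perm_id from an XPRAS document."""
    return {_text(pra, "RoleName"): {(p.text or "").strip() for p in pra.iter("perm_id")}
            for pra in ET.fromstring(xpras_xml).iter("PRA")}

def permissions_for(user_id, xus_xml=XUS, xuras_xml=XURAS, xpras_xml=XPRAS):
    """Permissions reachable through the roles the XURAS assigns (role hierarchy not applied)."""
    perms = role_permissions(xpras_xml)
    roles = assignable_roles(xus_xml, xuras_xml).get(user_id, set())
    return set().union(*(perms.get(r, set()) for r in roles))
```

Ann (age 45) satisfies the OR through the age predicate and gets Eye_Doctor, hence P1 and P2; Bob (age 65, level 7) is listed in the URA but fails both OR branches and gets nothing, which is the point of evaluating the credential condition rather than trusting the user list. The standard-library parser is not hardened against maliciously constructed XML (entity expansion in particular), so policy documents arriving over the XML/SOAP interface of Page 34 should be parsed with a hardened parser such as defusedxml before being handed to this logic.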

Page 34: TRBAC: A Temporal Role-Based Access Control Model

X-RBAC System Architecture

[Figure: X-RBAC system architecture. Labels shown: X-RBAC Module; Policy Loader; Policy Validation Module; XML Processor; Document Composition Module; XML Parser; DOM; XML Sessions; Log; RBAC Module; RBAC Processor; UR, PR DataSet; TRIG DataSet; Sessions DataSet; XML Policy Base. Input: XML/SOAP Access Request. Output: XML/SOAP Authorization, Data Item. Legend: Functional Module.]

Page 35: TRBAC: A Temporal Role-Based Access Control Model

On-going Work

Extension of the constraint language:
Constraints on the set of roles a user can activate
Obligations & Duties

Development of graphical tools for TRBAC administration

Testing on a healthcare information system